Analysis of T-Rex CoinMiner Attacks Targeting Internet Cafés in Korea
June 5, 2025, 12:46 a.m.
Description
A series of attacks targeting Korean Internet cafés has been identified, focusing on PCs running a specific café management software. The threat actor, active since 2022, uses Gh0st RAT to control compromised systems and ultimately installs T-Rex CoinMiner for cryptocurrency mining. The initial access method has not been determined. The attacks involve memory patching of the management software and the use of downloaders; the malware suite consists of Gh0st RAT, its droppers, the patchers, the downloaders, and T-Rex CoinMiner. Unlike typical coin-mining operations, which run the CPU miner XMRig to mine Monero, this actor deploys T-Rex, a GPU miner, most likely because Internet café PCs are equipped with high-performance graphics cards. The Internet café campaign has been ongoing since late 2024 and has prompted responses from the management software vendors.
Tags
Date
- Created: June 4, 2025, 8:38 p.m.
- Published: June 4, 2025, 8:38 p.m.
- Modified: June 5, 2025, 12:46 a.m.
Indicators
- d172c757fe0f095054704ef5449dc2c95f98d1385cf50a28932de6c5484cc67c
- b46a32f1e37499aaf7a13fa3826b45bba49f268929a565c127761a40cfb84e80
- 122.199.149.129
- 121.67.87.250
- 115.23.126.178
- 113.21.17.102
- 112.217.151.10
- 103.25.19.32
- 121.147.158.132
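The two SHA-256 hashes and seven IP addresses above are the indicators the page provides; the script below is an added example (not part of the original report or of any vendor tooling) showing how an operator would sweep a suspected café PC against them. It hashes files under a directory and compares them with the listed SHA-256 values, and it scans connection-log lines (a netstat-style dump is assumed, constructed inline) for the listed IPs. The hash `e3b0c442…` used in the demo is the well-known SHA-256 of empty input and is only there to show the hashing path works; it is not an IOC.

```python
import hashlib
import re
from pathlib import Path

# Indicators copied verbatim from the Indicators section of this page.
IOC_SHA256 = {
    "d172c757fe0f095054704ef5449dc2c95f98d1385cf50a28932de6c5484cc67c",
    "b46a32f1e37499aaf7a13fa3826b45bba49f268929a565c127761a40cfb84e80",
}
IOC_IPS = {
    "122.199.149.129", "121.67.87.250", "115.23.126.178", "113.21.17.102",
    "112.217.151.10", "103.25.19.32", "121.147.158.132",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory buffer (used by tests and small files)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in 1 MiB chunks so large binaries do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_ioc_hash(hex_digest: str) -> bool:
    """True if the digest matches one of the listed samples (case-insensitive)."""
    return hex_digest.lower() in IOC_SHA256


def scan_files(root: str) -> dict:
    """Return {path: sha256} for every regular file under root whose hash is a listed IOC."""
    hits = {}
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            digest = sha256_of_file(p)
        except OSError:
            continue  # locked or unreadable file; skip rather than abort the sweep
        if is_ioc_hash(digest):
            hits[str(p)] = digest
    return hits


def scan_connection_lines(lines) -> list:
    """Return (line_number, ip) for every listed IP that appears in connection-log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((n, ip))
    return hits


# Constructed sample: a netstat-style dump in which only line 2 talks to a listed IP.
SAMPLE_NETSTAT = [
    "TCP    192.168.0.15:51234    142.250.76.14:443      ESTABLISHED    4120",
    "TCP    192.168.0.15:51240    122.199.149.129:80     ESTABLISHED    6688",
    "UDP    0.0.0.0:5353          *:*                                   1204",
]

if __name__ == "__main__":
    for line_no, ip in scan_connection_lines(SAMPLE_NETSTAT):
        print(f"connection to listed IP {ip} on line {line_no}")
    # Point this at the café management software's install directory on a suspect PC.
    for path, digest in scan_files(".").items():
        print(f"IOC hash match: {path} {digest}")
```

A clean connection table does not clear a machine: the hashes only cover two samples, and the description notes the actor patches the management software in memory, so a sweep should also compare the running process image of the management software against the on-disk binary.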
Attack Patterns
Additional Information
- Korea, Republic of